Header graphic for print

HL Chronicle of Data Protection

Privacy & Information Security News & Trends

Posted in Cybersecurity & Data Breaches

Cybersecurity Vulnerabilities in the Life Sciences

While many of the recent most highly publicized data breaches have involved high-profile consumer brands, the life sciences sector is an increasingly attractive target for a cyber attack. Criminal attackers are targeting the health sector as part of industrial espionage programs and to obtain patient information that can fetch premium prices on the black market. In developing a cybersecurity strategy to combat potential threats, life sciences companies should employ a comprehensive strategy involving an assessment and analysis of likely risks, and active and continuing planning, training, and updating of cybersecurity strategies. Regulators have already signaled that cybersecurity risk assessments are foundational to meeting legal requirements and can define the baseline for what constitutes reasonable security measures within an organization.
Continue Reading

Posted in International/EU Privacy

CNIL’s New Role: Overseeing Website Blocking

shutterstock_322056467In an April 15, 2016 report, the French Data Protection Authority, the CNIL, provided details about its little-known responsibility as overseer of the French police’s website-blocking powers.  The French legislature gave the CNIL this new role in a November 13, 2014 law designed to enhance French police powers against terrorism. The 2014 law increased French police and intelligence agencies’ powers to collect data without a court order.  A lesser-known aspect of the November 2014 law is the provision that allows the French police to order ISPs to block websites that either provoke terrorist acts or support (provide an “apologia” or defense for) terrorism.  When the French police identify online content that violates these rules, they may order ISPs to block access.  The police also have this power with regard to child pornography. Search engines can also be ordered to delist content from search results. Continue Reading

Posted in International/EU Privacy

Why Brexit Will Not Happen (In Data Protection)

EU FlagThe thing about referendums is that the consequences of one outcome or another are likely to be rather disparate. If Brexit turns out to be rejected by the majority of the UK electorate, we will simply carry on as normal – quietly enjoying the benefits of the European Union whilst moaning about the threat that the EU poses to our peculiar way of life. It is a tried and tested state of affairs, all too familiar within the UK and on the Continent. If on the other hand, Brexit wins, it will surely be a jump into the unknown. An unknown seen as a black hole by some and a prosperous new world by others, but an entirely unfamiliar situation nonetheless. The point is that whatever happens in the UK on 23 June, the future will be very different depending on which side wins. Continue Reading

Posted in Consumer Privacy, Privacy & Security Litigation

Justices Rule That Injury In Fact Must Be Concrete, Requiring More Than A Statutory Violation

for-blogOn Monday, May 16, 2016, the Supreme Court of the United States issued its highly anticipated opinion in Spokeo, Inc. v. Robins, a case that examined the question of whether a plaintiff who sued for a technical violation of the Fair Credit Reporting Act (FCRA) could maintain Article III standing for a class action without claiming any real-world injury.  The case before the Court involved a putative class action brought against petitioner Spokeo, Inc., a company that generates profiles about people based on information obtained though computerized searches.  Respondent Thomas Robins was one of the people with a profile on Spokeo’s website.  According to Robins, the information on that profile was inaccurate.  Robins filed a class-action complaint against Spokeo in federal court, alleging violations of the FCRA, which requires consumer reporting agencies to “follow reasonable procedures to assure maximum possible accuracy of” consumer reports.  The Ninth Circuit held that by alleging the violation of a statutory right Robins had satisfied the injury-in-fact requirement of Article III standing. Continue Reading

Posted in International/EU Privacy

Regulators Announce International Investigation into Practices of Internet Connected Devices

shutterstock_314652596A number of data protection authorities (DPAs) around the globe have issued press releases confirming their involvement in the 2016 global privacy “sweep”, which kicked off on April 11th.  This year’s initiative involves a coordinated investigation by 29 DPAs into the practices of internet-connected (Internet of Things or IoT) devices, such as fitness and health trackers, thermostats, smart meters and TVs and connected cars.  The work is being coordinated by the Global Privacy Enforcement Network under the leadership of the UK Information Commissioner’s Office. Continue Reading

Posted in International/EU Privacy

European Commission Launches Public Consultation on the Evaluation and Review of the ePrivacy Directive

shutterstock_356121362On 12 April 2016, the European Commission launched a public consultation (the “Consultation“) on the ePrivacy Directive (2002/58/EC; the “epD“). Interested parties who wish to participate have until 5 July 2016 to submit responses to the Commission’s 33 questions.

Continue Reading

Posted in International/EU Privacy

Article 29 Working Party Sees Privacy Shield Glass Half Empty

shutterstock_285945950From the moment that the Chairman of the Article 29 Working Party, Isabelle Falque-Pierrotin, announced at a press conference on 3rd February this year that the Working Party would assess the standing of the EU-US Privacy Shield under EU law, privacy professionals have been waiting to see what the Working Party’s view would be.  Earlier this week, on 13th April, the Working Party provided their initial opinion.  On the one hand, the Working Party welcomed the significant improvements of the Privacy Shield as a positive step forward. Yet, on the other hand, the Working Party set out their strong concerns on the commercial aspects of the Privacy Shield and the ability for US public authorities to access data transferred under the Privacy Shield.  The opinion concluded by urging the European Commission to resolve these concerns and improve the Privacy Shield. Continue Reading

Posted in International/EU Privacy

GDPR Likely to be Adopted by the EU Parliament on 14 April 2016

shutterstock_318496325Last Friday, the EU Council has adopted its position at first reading on the data protection reform. This prepares the way for the final adoption of the legislative package which includes the General Data Protection Regulation (GDPR) by the European Parliament on 14 April 2016. This formal adoption by the EU Council comes after the compromise agreed with the European Parliament on 15 December 2015.

Continue Reading

Posted in Consumer Privacy

NTIA Commences Internet of Things Proceeding

shutterstock_310925975On April 5, 2016, the National Telecommunications and Information Administration (NTIA) initiated an inquiry to review the potential benefits and challenges presented by the Internet of Things (IoT). In its Notice and request for public comment (RFC), NTIA is seeking input on the current IoT technological and policy landscape with a goal of developing recommendations—in the form of a Green Paper—as to whether and how the federal government should play a role in fostering the advancement of IoT technologies.

Comments are due on or before May 23, 2016 at 5:00 p.m. eastern; parties across industry sectors are encouraged to comment.  Continue Reading

Posted in Health Privacy/HIPAA

FTC Releases Web Tool for Mobile Health App Developers

shutterstock_134749508The FTC released this week a web-based tool to assist mobile app developers in determining which federal privacy laws apply to their mobile health applications. The tool asks developers a series of ten targeted questions that help a user determine whether HIPAA, FTC, and/or FDA rules and regulations might apply.

The interactive developer tool presents users with questions that include topics such as:

  • the type of information the app will create, receive, maintain, and transmit
  • the type of entity creating the app (or on whose behalf the app is created)
  • the purposes of the app
  • the information the app will provide to consumers and/or patients

The answer to each question points the user to the laws and regulations that may likely apply to the app.  The tool also directs users to definitions for common regulatory terms, links, tips and guidance regarding compliance, and other federal agency resources. Continue Reading